The inspection will aim at the legality of
the personal data transfer (particularly the birth certificate numbers of
insured persons) to the USA via cookies (ads/ga-audiences, NID, _ga, _gat,
_gid, collect), the inspection will also check the safeguards surrounding this
transfer as well as the compliance with the information obligation during the
processing of personal data in the central reservation system for COVID-19
vaccination. Mr Jiří Kaucký, the president of the office, said: “We will
check how the personal data of the Czech Republic´s citizens are treated when
they register via the central reservation system for COVID-19 vaccination and
whether it is in line with the General Data Protection Regulation.”
In this context, the office received on 20
January 2021 a data breach notification from the Czech Ministry of Health and
from the National Agency for Communication and Information Technologies.
Reportedly, an error in the functionality of the reservation system (https://reservatic.com/ockovani?cpoj=xxxxxxxxx&pin2=yyyyyy
) operated by a private supplier
should have caused that the insured person number (including the birth certificate
displayed and transferred to the Google Analytics system whereby it was shared
with the Google corporation. Pursuant to the notification, appropriate remedial
measures have already been taken. The office will put these measures to a meticulous
scrutiny and will assess their sufficiency and appropriateness and order, if
necessary, to the controller (the Ministry of Health) or to the processor (the
system supplier) to take further steps.
The office will also prove, if the given
data processing respects the conclusions of the CJEU judgment in case C-311/18
restricting the transfer of personal data outside the European Union.
The public will be informed about the
inspection findings and the relevant office´s conclusions in due time.